When Apply ACL to DMZ_if - DMZ_if devices lose access to WWW - Why?

shanemonson
Level 1

When I apply an ACL to the DMZ interface, I lose the DMZ devices' connection to the internet. The access-list / access-group I apply works as it should, but internet access is gone. When I remove the access-group, internet access comes back. I have tried applying other ACLs and nat/global combinations with no luck. I have added my complete running config for anyone who would be willing to help. I have been teaching myself this PIX 515e for 3 weeks with help from books, the web and friends. I think I have part of it figured out.... at least traffic is moving. Any help would be much appreciated.

Shane


8 Replies

acomiskey
Level 10

Because the ACL really looks like this:

access-list ACLDMZ_IN permit tcp any host 0.0.0.0 eq www
access-list ACLDMZ_IN permit tcp any host 10.10.20.200 eq 8080
access-list ACLDMZ_IN permit tcp any host 10.10.20.190 eq 8080
access-list ACLDMZ_IN deny ip any any

edit: read too quickly, where is your DNS server for DMZ hosts? If it is outside of the DMZ you need to allow that traffic. I would write it like this (if the DNS server is inside or outside):

access-list ACLDMZ_IN permit tcp any host 10.10.20.200 eq 8080
access-list ACLDMZ_IN permit tcp any host 10.10.20.190 eq 8080
access-list ACLDMZ_IN permit udp any host eq domain
access-list ACLDMZ_IN deny ip any 10.10.0.0 255.255.0.0
access-list ACLDMZ_IN permit tcp any any eq www
access-list ACLDMZ_IN deny ip any any

If you are trying to restrict traffic to the inside, do not put the permit for www traffic first; that would allow www to the inside as well and would defeat the purpose of filtering the traffic.

The DNS servers reside on the outside interface (currently this is an internal firewall that we are testing in preparation to put into production). Our in-house DNS servers are currently on the "outside" interface of the PIX in its current config (but are really our internal domain controllers).

The 0.0.0.0 was an attempt to allow www access from the DMZ interface without blocking the rules needed for the two IPs that require 8080 traffic. It didn't work.

Thanks for responding, I am open to ANY suggestions as all my learnings have come from my own research...thanks in advance!

Oh! The rest of your message just came through... I may have responded too quickly... I am reading now...

Does that make sense? Allow what you want to allow inside to 10.x.x.x, deny everything else inside to 10.x.x.x, then allow everything outside (www, dns etc.).

Most of it does.... By the way, that did it! DMZ devices can now access INSIDE devices as well as hit the www. Thanks! Now I need to read up on why those commands worked. If you have time, I have a couple of follow-up questions:

The "eq domain" at the end of this ACE... does the PIX know it is coming from a domain?

access-list ACLDMZ_IN permit udp any host eq domain

Also, I assume I should add ACEs for both DNS servers?

Thanks again for your prompt assistance!

Shane

Col, OH

No, the ACL with "eq domain" is the same as if it said "eq 53" or port 53, which is DNS. The PIX just changes the number to the word "domain". It will do the same for other ports as well, like tcp 21, which it will show as "eq ftp". So these two statements are the same thing:

access-list ACLDMZ_IN permit udp any host eq domain
access-list ACLDMZ_IN permit udp any host eq 53

And yes, you will add another line for your other DNS server. Remember, the PIX looks at the access-list from the top down and will stop at the first match. That is why this works as it does.

Please rate if these help.
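
As an added illustration (not part of the thread or of any Cisco code), the following Python script simulates the PIX's top-down, first-match ACL evaluation on the three ACLs discussed above: the original one with `host 0.0.0.0`, the corrected ordering from the answer, and the www-first ordering the answer warns against. The DMZ source 172.16.50.10, outside web server 203.0.113.80, inside web server 10.10.5.5 and DNS server 192.0.2.53 (the thread left that address blank) are constructed values; `host` is modelled as an exact /32 match, which is why the `host 0.0.0.0` line never matches a real web server.

```python
"""Simulate PIX-style top-down, first-match ACL evaluation (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Port keywords the PIX prints in place of numbers (the answer names www, domain, ftp).
PORT_NAMES = {"www": 80, "domain": 53, "ftp": 21}

# Constructed addresses for the walkthrough (not taken from the thread).
DMZ_HOST = "172.16.50.10"      # a DMZ device
OUTSIDE_WEB = "203.0.113.80"   # an internet web server
INSIDE_WEB = "10.10.5.5"       # an inside web server that should stay unreachable
DNS_SERVER = "192.0.2.53"      # stands in for the DNS address the thread left blank

# The original poster's ACL as the PIX sees it: "host 0.0.0.0" is a /32, so it
# never matches real web servers, and the implicit deny drops everything else.
ORIGINAL_ACL = """
access-list ACLDMZ_IN permit tcp any host 0.0.0.0 eq www
access-list ACLDMZ_IN permit tcp any host 10.10.20.200 eq 8080
access-list ACLDMZ_IN permit tcp any host 10.10.20.190 eq 8080
"""

# The corrected ordering from the answer, with the constructed DNS address filled in.
FIXED_ACL = f"""
access-list ACLDMZ_IN permit tcp any host 10.10.20.200 eq 8080
access-list ACLDMZ_IN permit tcp any host 10.10.20.190 eq 8080
access-list ACLDMZ_IN permit udp any host {DNS_SERVER} eq domain
access-list ACLDMZ_IN deny ip any 10.10.0.0 255.255.0.0
access-list ACLDMZ_IN permit tcp any any eq www
"""

# The ordering the answer warns against: "permit www" ahead of the inside deny.
WWW_FIRST_ACL = f"""
access-list ACLDMZ_IN permit tcp any any eq www
access-list ACLDMZ_IN permit udp any host {DNS_SERVER} eq domain
access-list ACLDMZ_IN deny ip any 10.10.0.0 255.255.0.0
"""


@dataclass
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]        # None means any destination port


def _parse_addr(tokens, i):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D MASK'."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # network + netmask form, e.g. 10.10.0.0 255.255.0.0
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}"), i + 2


def parse_ace(line):
    """Parse 'access-list NAME ACTION PROTO SRC DST [eq PORT]' into (name, Ace)."""
    tokens = line.split()
    assert tokens[0] == "access-list", f"not an access-list line: {line}"
    name, action, proto = tokens[1], tokens[2], tokens[3]
    src, i = _parse_addr(tokens, 4)
    dst, i = _parse_addr(tokens, i)
    dport = None
    if i < len(tokens) and tokens[i] == "eq":
        port = tokens[i + 1]
        dport = PORT_NAMES.get(port) or int(port)   # "domain" and "53" are equivalent
    return name, Ace(action, proto, src, dst, dport)


def parse_acl(text):
    """Group ACEs by access-list name, preserving their order."""
    acl = {}
    for line in text.strip().splitlines():
        if line.strip():
            name, ace = parse_ace(line.strip())
            acl.setdefault(name, []).append(ace)
    return acl


def evaluate(aces, proto, src, dst, dport):
    """First match wins, top to bottom; returns (action, 1-based ACE index or None)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, ace in enumerate(aces, 1):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, n
    return "deny", None   # the implicit deny at the end of every ACL


def decide(acl_text, name, proto, src, dst, dport):
    """Return 'permit' or 'deny' for one flow against the named ACL."""
    return evaluate(parse_acl(acl_text)[name], proto, src, dst, dport)[0]


if __name__ == "__main__":
    flows = [("tcp", DMZ_HOST, OUTSIDE_WEB, 80, "DMZ -> internet www"),
             ("tcp", DMZ_HOST, "10.10.20.200", 8080, "DMZ -> inside 8080"),
             ("tcp", DMZ_HOST, INSIDE_WEB, 80, "DMZ -> inside www"),
             ("udp", DMZ_HOST, DNS_SERVER, 53, "DMZ -> DNS")]
    for label, acl in (("original", ORIGINAL_ACL), ("fixed", FIXED_ACL),
                       ("www first", WWW_FIRST_ACL)):
        print(f"== {label} ==")
        for proto, src, dst, dport, desc in flows:
            action, hit = evaluate(parse_acl(acl)["ACLDMZ_IN"], proto, src, dst, dport)
            print(f"  {desc:22} {action:6} ({f'ACE {hit}' if hit else 'implicit deny'})")
```

Running it shows the three behaviours the thread describes: the original ACL drops DMZ web traffic on the implicit deny, the corrected ACL permits web and DNS while the `deny ip any 10.10.0.0 255.255.0.0` line still blocks the inside web server, and moving `permit tcp any any eq www` to the top lets the same inside web server through.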

Oh, that's right... I remember reading that somewhere (my brain is PIX mush at this point)..... And yes, I forgot how important the order of the ACEs is in an ACL. Got it.

Rated you a "5"... would go 10 if I could. Much thanks from a PIX greenie in Col, Ohio. I'm not done with it though; a few more tests before it goes into prod. You may see more ?'s from me. Again, much obliged.

Shane

You could rate my first post a 5 and that would give me 10! haha

Glad I could help.
